sobota, 21 maja 2016

Pentester Lab CTF - From SQLi to PostgreSQL shell

If you're looking for cool CTF's that you can play offline (or during the travel) this site is definitely for you. :) Today we will try if there is a way to get shell on the VM box prepared by Pentester Lab.
Thanks for preparing this!

Run and go
VM is ready, running, so let's scan it:

Ok, found Apache, let's check if there is a vulnerability to exploit:

Looks like there is, and it is SQL Injection in PostgreSQL (check the function name in error, pg* suggest that this is psql). Fine, let's run sqlmap against it:

Ok, so id parameter is vulnerable to sql injection attacks:

AFAIK there is no way to access other shell than 'sql-shell' (via sqlmap), so we will use this one to obtain more information from the database:

Good. We've got an admin's password. To crack it we will use online password 'cracker' called...
Google ;)

Let's find out if we can use it somewhere on our target web:

And... we're in!

Next we need to upload shell. As there is an upload functionality we can try to exploit it to upload PHP shell (remember that cool reverse PHP shell you can find here?)

I could not upload PHP file. I was wondering what am I doing wrong. Answer was simple.
I did not upload .htaccess file with my own settings. So, now it's time to do that:

Our shell is working now:

Ok so now it's time to reverse shell. I think that this VM was not designed to root it, so this is the end of this case.

If you have any questions or ideas of how this box can be attacked, feel free to mail me or just leave a comment below.


Brak komentarzy:

Prześlij komentarz